One of the vulnerabilities, designated as CVE-2024-21626, impacts runC, the lightweight container runtime for Docker and other container environments.
It is the most urgent of the four vulnerabilities, with a severity score of 8.6 out of a possible 10 on the CVSS scale.
Rory McNamara, staff security researcher at Snyk, says the runC vulnerability enables container escape at both build-time and run-time of the container.
In worst-case scenarios, an attacker who gains unauthorized access to an underlying host operating system can potentially access anything else running on the same host, including, but not limited to, key credentials that allow the adversary to launch further attacks.
One of them involves a race condition related to how cache layers are mounted during runtime.
Another affects a security model in BuildKit's remote procedure call protocol; the third vulnerability is a file delete flaw, also in BuildKit.
Snyk cited the wide use of the affected container image components and build tools as a reason why organizations should upgrade to fixed versions as soon as their providers make them available.
Two of the Docker BuildKit vulns are build-time only escapes.
A Growing Problem Container vulnerabilities present a growing problem for enterprise organizations.
A study that Sysdig conducted last year found that 87% of container images in production have at least one high or critical severity vulnerability in them.
The company attributed the high percentage of vulnerabilities to the rush by organizations to deploy cloud applications without paying appropriate attention to security issues.
Research by Rezilion in 2023 uncovered hundreds of Docker container images containing vulnerabilities that standard vulnerability detection and software composition analysis tools could not detect.
The trend has caused perceptions around container security to change over the last year.
A survey by D-Zone, for example, found only 51% of respondents describing containerization as making their applications more secure, compared with 69% in 2021.
Some 44% said containerization had actually made their application environment less secure, compared with just 7% in 2021.
High Access Requirements McNamara says the four vulnerabilities that Snyk discovered are relatively simple to exploit and typically involve less than a 30-line Dockerfile.
There is a high access requirement, he says.
To exploit the flaws, an attacker would need to be able to do the following: run an arbitrary container on the target; build an arbitrary container on the target; or compromise an upstream container or cause a victim system to use a controlled upstream container.
The flaws are not really remotely executable except in the sense that Kubernetes and similarly affected environments are network accessible, McNamara says.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 31 Jan 2024 22:25:15 +0000